[Micronet] [Announce] "Locky" Ransomware Delivered via Email Attachments
SUMMARY
===
Information Security and Policy has received confirmed reports of recent
attempts to deliver the "Locky" family of Ransomware via malicious email
attachments. [1] [2]
The most recent attempts come from forged @berkeley.edu email addresses
(such as from the recipient's own email address) with Subject lines like
(note that they vary greatly):
* Document80
* Scan381
* Document5
* Doc242
* Scan0
Accompanying these emails are .ZIP file attachments (e.g. Document80.zip)
containing malicious JavaScript, Office documents with macros, or other
payloads.
The bConnected team is working closely with ProofPoint and Google to
quarantine these malicious emails before they reach campus email accounts.
However, there are many Locky variants and delivery methods used by
attackers, and sometimes these malicious emails will inevitably reach their
target.
Campus users are advised to be vigilant as Ransomware like Locky can be
extremely destructive. See the Recommendations section for guidance.
Supervisors are encouraged to circulate this Security Alert to their
departments.
IMPACT
===
Locky and other similar Ransomware will rename and scramble (encrypt) files
including videos, images, documents, and Office files rendering them
unreadable by their owner.
Only the criminal attackers that delivered the Ransomware will have the
decryption key necessary to unscramble your data, demanding payment
("ransom") in exchange for unlocking and returning your data to you.
These families of Ransomware can be particularly destructive if you do not
have secure and recent backups of your important files. Locky will also
crawl mounted network file shares and scramble any files it finds.
VULNERABLE
===
* Locky Ransomware can be delivered in a variety of different ways.
* Users that have enabled auto-execution of macros in Microsoft Office
documents are at significant risk as malicious Office documents is a
primary delivery method used by attackers dropping Locky.
* Systems that have unpatched software such as out-of-date web browsers or
Adobe Flash can also be susceptible to compromise as unpatched
vulnerabilities can be exploited to deliver the Ransomware.
RECOMMENDATIONS
===
Per the Sophos security article on Locky referenced below, here is what to
do to protect yourself against Locky and other Ransomware threats:
* Backup regularly and keep a recent backup copy encrypted on a separate
system. There are dozens of ways other than Ransomware that files can
suddenly vanish, such as fire, flood, theft, a dropped laptop or even an
accidental delete. Encrypt your backup and you won’t have to worry about
the backup device falling into the wrong hands.
* Don’t enable macros in document attachments received via email. Microsoft
deliberately turned off auto-execution of macros by default many years ago
as a security measure. A lot of malware infections rely on persuading you
to turn macros back on, so don’t do it!
* Be cautious about unsolicited attachments. The crooks are relying on the
dilemma that you shouldn’t open a document until you are sure it’s one you
want, but you can’t tell if it’s one you want until you open it. If in
doubt, leave it out.
* Don’t give yourself more login power than you need. Most importantly,
don’t stay logged in as an administrator any longer than is strictly
necessary, and avoid browsing, opening documents or other “regular work”
activities while you have administrator rights.
* Review network file share permissions. System administrators should use
this as an opportunity to review file share permissions for users and
groups, using the principle of least privilege. Damage to network file
shares (e.g. departmental share) can sometimes be limited using strict
permissions. [3]
* Consider installing the Microsoft Office viewers. These viewer
applications let you see what documents look like without opening them in
Word or Excel itself. In particular, the viewer software doesn’t support
macros at all, so you can’t enable macros by mistake!
* Patch early, patch often. Malware that doesn’t come in via document
macros often relies on security bugs in popular applications, including
Office, your browser, Adobe Flash and more. The sooner you patch, the fewer
open holes remain for the crooks to exploit.
* Learn how to spot suspicious emails by visiting our Phishing resources
page. [4]
REFERENCES
===
[1] https://en.wikipedia.org/wiki/Ransomware
[2]
https://nakedsecurity.sophos.com/2016/02/17/locky-ransomware-what-you-need-to-know/
[3] https://en.wikipedia.org/wiki/Principle_of_least_privilege
[4] https://security.berkeley.edu/resources/phishing
A web version of this Security Alert is available at:
https://security.berkeley.edu/news/locky-ransomware-delivered-email-attachments
Regards,
Josh
==
Josh Kwan <jkwan...@berkeley.edu>
Security Analyst
Information Security and Policy
University of California, Berkeley
htt
Re: [Micronet] [Announce] Adobe Flash Player Multiple Zero-Day Vulnerabilities (CVE-2016-1010)
Thanks Ian. I agree, just uninstall Flash Player if you do not use it. Or if you must use it, use FireFox or Chrome with Click-to-Play for plugin content enabled. See our FAQs on how to enable Click-to-Play here: https://security.berkeley.edu/faq/web-browsing Many Microsoft Windows users will need to update regardless, as Adobe Flash Player libraries are included in the Internet Explorer 10, 11, and Microsoft Edge browsers. Josh == Josh Kwan <jkwan...@berkeley.edu> Security Analyst Information Security and Policy University of California, Berkeley https://security.berkeley.edu On Fri, Mar 11, 2016 at 11:58 AM, Ian Crew <ic...@berkeley.edu> wrote: > Hi all: > > It may not be appropriate for everyone, but I removed flash (Windows > <https://helpx.adobe.com/flash-player/kb/uninstall-flash-player-windows.html> > , Mac OS > <https://helpx.adobe.com/flash-player/kb/uninstall-flash-player-mac-os.html>) > from my machine over a year ago, and I really don’t miss it. For those > rare times I do need it, I just open the page in Chrome, which includes a > built-in Flash interpreter (that seems to have fewer security issues than > the Adobe plugins). > > Something to consider as a response to the continuing litany of zero-day > Flash exploits… > > Cheers, > > Ian > > On Mar 11, 2016, at 11:53 AM, Josh Kwan <jkwan...@berkeley.edu> wrote: > > SUMMARY > === > Adobe has released security updates for Adobe Flash Player that addresses > critical vulnerabilities. This patch update covers multiple Common > Vulnerabilities and Exposures identifiers (CVE) as noted in Adobe Security > Bulletin APSB16-08. [1] > > In conjunction with these flaws, Microsoft has issued an out-of-band patch > for Adobe Flash Player when on all supported editions of Windows 8.1, > Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, and Windows > 10. The Microsoft update addresses the vulnerabilities in Adobe Flash > Player by updating the affected Adobe Flash libraries contained within > Internet Explorer 10, Internet Explorer 11, and Microsoft Edge. [2] > > > IMPACT > === > This set of updates covers vulnerabilities rated as critical by both Adobe > and Microsoft. Attackers can remotely take control of affected systems if > exploitation is successful. Adobe has noted that there are reports of > CVE-2016-1010 already being exploited in targeted attacks. [1] > > > VULNERABLE > === > * Adobe Flash Player Desktop Runtime, 20.0.0.306 and earlier (Windows and > Macintosh) > * Adobe Flash Player Extended Support Release, 18.0.0.329 and earlier > (Windows and Macintosh) > * Adobe Flash Player for Google Chrome, 20.0.0.306 and earlier (Windows, > Macintosh, Linux and * ChromeOS) > * Adobe Flash Player for Microsoft Edge and Internet Explorer 11, > 20.0.0.306 and earlier (Windows 10) > * Adobe Flash Player for Internet Explorer 11, 20.0.0.306 and earlier > (Windows 8.1) > * Adobe Flash Player for Linux, 11.2.202.569 and earlier (Linux) > * AIR Desktop Runtime, 20.0.0.260 and earlier (Windows and Macintosh) > * AIR SDK, 20.0.0.260 and earlier (Windows, Macintosh, Android and iOS) > * AIR SDK & Compiler, 20.0.0.260 and earlier (Windows, Macintosh, Android > and iOS) > * AIR for Android, 20.0.0.233 and earlier (Android) > > > RECOMMENDATIONS > === > * Users and service providers are advised to patch affected systems > immediately. > * For non-Microsoft platforms, please consult Adobe Security Bulletin > APSB16-08 [1] > * For Microsoft platforms, please consult Microsoft Security Bulletin > MS16-036 [2] > > > REFERENCES > === > [1] https://helpx.adobe.com/security/products/flash-player/apsb16-08.html > [2] https://technet.microsoft.com/en-us/library/security/MS16-036 > [3] > https://security.berkeley.edu/news/adobe-flash-player-multiple-zero-day-vulnerabilities-cve-2016-1010 > > - > The following was automatically added to this message by the list server: > > To learn more about Micronet, including how to subscribe to or unsubscribe > from its mailing list and how to find out about upcoming meetings, please > visit the Micronet Web site: > > http://micronet.berkeley.edu > > Messages you send to this mailing list are public and world-viewable, and > the list's archives can be browsed and searched on the Internet. This > means these messages can be viewed by (among others) your bosses, > prospective employers, and people who have known you in the past. > > ANNOUNCEMENTS: To send announcements to the Micronet list, please use the > micronet-annou...@lists.berkeley.edu list. > > > ___ > Ian Crew > > IST-Architecture, Platforms and Integration (API
[Micronet] [Announce] New Information Security & Policy Website
Hello, Information Security and Policy (ISP) have migrated our site to the Open Berkeley platform: https://security.berkeley.edu The new site includes: * Theming consistent with the new Berkeley brand toolkit * Responsive, mobile-friendly design * A Services catalog sortable by category * Need help? Try our Resources section to find Software, Training, Best Practices & How-to Articles, and FAQs! * A revamped Contact Us page for when and how to contact our department * An action-driven I Want To... menu to quickly jump to common tasks and application links A copy of this announcement is available on our new site, including a user feedback form (Google Forms): https://security.berkeley.edu/news/new-website-launched-october-1st We'd like to hear your feedback about the site! Thank You, Josh == Josh Kwan <jkwan...@berkeley.edu> Security Analyst Information Security and Policy University of California, Berkeley https://security.berkeley.edu - The following was automatically added to this message by the list server: To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site: http://micronet.berkeley.edu Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet. This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past. ANNOUNCEMENTS: To send announcements to the Micronet list, please use the micronet-annou...@lists.berkeley.edu list.
Re: [Micronet] Campus Directory broken?
It's working for me, but you can still use the old interface AFAIK: https://calnet.berkeley.edu/directory/search.pl Josh -=- Josh Kwan jkwan...@berkeley.edu Security Analyst Information Security and Policy University of California, Berkeley https://security.berkeley.edu On 2/27/15 3:56 PM, Jay Sparks wrote: Hi, I tried several searches using the directory, http://www.berkeley.edu/directory Error: Bad Gateway! The proxy server received an invalid response from an upstream server. The proxy server could not handle the request /GET /directory/results http://www.berkeley.edu/directory/results/. Reason: *Error reading from remote server* Error 502 http://www.berkeley.edu/directory/results wf-web-prod-01 128.32.192.98 Fri Feb 27 15:53:06 2015 Jay - The following was automatically added to this message by the list server: To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site: http://micronet.berkeley.edu Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet. This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past. - The following was automatically added to this message by the list server: To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site: http://micronet.berkeley.edu Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet. This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.
